
Retrieving Data From Archive State

Hi guys!!

Today we will learn something new and interesting: how to keep Splunk data that is about to be deleted, and how to get it back.

You all know that the indexer stores indexed data in directories. These directories are called buckets. In Splunk a bucket passes through four stages. New data is written to a hot bucket. After some time the bucket rolls to warm, then to cold, and lastly to frozen; by default a bucket that reaches the frozen state is deleted.

If you want to keep the data instead, you archive it when it freezes, i.e. copy it to a different location before it gets deleted. How we archive that data, and how we restore it, is the topic of today.

First of all we will configure the indexer to archive the data when it freezes. That means editing "indexes.conf" in the following location:

$SPLUNK_HOME/etc/apps/search/local

After that, open indexes.conf and add the two attributes written below under the stanza of the index:

[arihant]
frozenTimePeriodInSecs = 20
coldToFrozenDir = /root/art

Here 'arihant' is the index name and two attributes are added under its stanza. The first, 'frozenTimePeriodInSecs', is the retention period: a bucket rolls to frozen once its newest event is older than this many seconds. 20 seconds is a value for testing only; the default is 188697600 seconds (about six years). The second, 'coldToFrozenDir', is the directory where frozen buckets are archived instead of being deleted. That directory must exist and be writable by the user Splunk runs as, and it cannot be combined with 'coldToFrozenScript' in the same stanza. Note that the archive keeps only the rawdata journal of each bucket; the index (.tsidx) files are dropped and must be rebuilt when the bucket is restored. Restart Splunk after editing indexes.conf. Then, after the time period, the data will be archived in the specified directory.

Now we will restore the archived data into our Splunk environment. First of all we go into the archive directory and copy the bucket into the thaweddb directory of the index:

# cd /root/art
# cp -r db_1181756465_1162600547_1001 $SPLUNK_HOME/var/lib/splunk/arihant/thaweddb

NOTE: A bucket directory is named db_<newest event time>_<oldest event time>_<bucket id>, so here 1001 is the bucket id. The id must be unique within the index: if another bucket of the same index (hot, warm, cold or already thawed) uses id 1001, the thaw will conflict, so check the existing buckets and rename the archived directory to a free id before copying.

The bucket directory is now in thaweddb, but it contains only the rawdata journal. So we go into the bin directory of Splunk and run the rebuild command, which regenerates the index files and makes the data searchable again. After this, restart Splunk. Run both commands as the user Splunk runs as, so the rebuilt files get the right ownership.

# cd $SPLUNK_HOME/bin
# ./splunk rebuild $SPLUNK_HOME/var/lib/splunk/arihant/thaweddb/db_1181756465_1162600547_1001
# ./splunk restart
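The whole restore procedure as one script, added here as an example and not part of the original post. It assumes SPLUNK_HOME is set and the index uses the default db, colddb and thaweddb locations under $SPLUNK_HOME/var/lib/splunk; it takes the archive directory, bucket name and index name as arguments, refuses a bucket whose id is already used by another bucket of the index (the conflict the note above warns about), copies it into thaweddb and runs splunk rebuild. The SPLUNK_BIN variable is a hook of this example, not a Splunk setting.

```shell
#!/bin/sh
# Added example (not from the original post): thaw one archived Splunk bucket.
# Assumptions: SPLUNK_HOME is set; the index keeps hot/warm, cold and thawed
# buckets in the default db/, colddb/ and thaweddb/ directories; SPLUNK_BIN
# (a hook of this example only) may override the path to the splunk binary.
set -eu

# Bucket directories are named db_<newest>_<oldest>_<id>; print the <id>
# part, or nothing if the name does not have that shape.
bucket_id() {
    printf '%s\n' "$1" | awk -F_ '$1 == "db" && NF == 4 { print $4 }'
}

# Return 0 if any bucket directory in $1 already uses the id of bucket $2,
# 1 if the id is free, 2 if $2 is not a bucket name.
bucket_id_conflict() {
    dir="$1"; name="$2"
    id=$(bucket_id "$name")
    [ -n "$id" ] || { echo "not a bucket name: $name" >&2; return 2; }
    for d in "$dir"/db_*; do
        [ -d "$d" ] || continue
        [ "$(bucket_id "$(basename "$d")")" = "$id" ] && return 0
    done
    return 1
}

# thaw_bucket <archive dir (coldToFrozenDir)> <bucket name> <index name>
thaw_bucket() {
    archive="$1"; name="$2"; index="$3"
    splunk_home="${SPLUNK_HOME:?set SPLUNK_HOME first}"
    splunk_bin="${SPLUNK_BIN:-$splunk_home/bin/splunk}"
    index_dir="$splunk_home/var/lib/splunk/$index"
    thawed="$index_dir/thaweddb"

    [ -d "$archive/$name" ] || { echo "no such bucket: $archive/$name" >&2; return 1; }

    # The id must be unique across every bucket stage of the index.
    for stage in db colddb thaweddb; do
        [ -d "$index_dir/$stage" ] || continue
        if bucket_id_conflict "$index_dir/$stage" "$name"; then
            echo "bucket id $(bucket_id "$name") already used in $index_dir/$stage; rename the archive directory first" >&2
            return 1
        fi
    done

    mkdir -p "$thawed"
    cp -r "$archive/$name" "$thawed/"
    # The archive holds only the rawdata journal; rebuild regenerates the
    # tsidx files so the events become searchable.
    "$splunk_bin" rebuild "$thawed/$name"
}
```

Run it as the Splunk user, e.g. `thaw_bucket /root/art db_1181756465_1162600547_1001 arihant`, then restart Splunk as in the steps above.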

 

Now the data that had gone into frozen state is searchable again in your index. Thawed buckets are not subject to frozenTimePeriodInSecs, so they stay until you remove them from thaweddb yourself.

Hope this has helped you.

You can also read about: DEST_KEY=MetaData:Sourcetype

Happy Splunking  !! 

Passionate content developer dedicated to producing result-oriented content, a specialist in technical and marketing niche writing! Splunk Geek is a professional content writer with 6 years of experience and has been working for businesses of all types and sizes. It believes in offering insightful, educational, and valuable content, and its work reflects that.
